b"           FEDERAL HOUSING FINANCE AGENCY\n             OFFICE OF INSPECTOR GENERAL\n\n\n\n            Clifton Gunderson LLP\xe2\x80\x99s Independent\n         Audit of the Federal Housing Finance Agency\xe2\x80\x99s\n             Information Security Program - 2011\n\n\n\n\nAudit Report: AUD-2011-002                Dated: September 29, 2011\n\x0c                  Clifton Gunderson LLP\xe2\x80\x99s Independent Audit of the Federal Housing\n                         Finance Agency\xe2\x80\x99s Information Security Program - 2011\nWhy FHFA-OIG Contracted for Audit                                      What Clifton Gunderson LLP Found (See Appendix A of\nThe Federal Information Security Management Act of 2002 (FISMA)        this Report)\nrequires agencies to develop, document, and implement agency-          FHFA generally has a sound risk management framework for its\nwide information security programs to protect their information and    information security program. However, information security practices\ninformation systems, including those provided or managed by            were not fully effective to preserve the confidentiality, integrity, and\nanother agency, contractor, or other source. Additionally, FISMA       availability of FHFA\xe2\x80\x99s information and information systems, potentially\nrequires agencies to undergo an annual independent evaluation of       exposing FHFA\xe2\x80\x99s information resources to unauthorized access, use,\ntheir information security programs and practices and an assessment    disclosure, disruption, modification, or destruction.\nof compliance with FISMA. 
Moreover, FISMA requires the National\n                                                                       Although FHFA\xe2\x80\x99s information security program had a number of\nInstitute of Standards and Technology (NIST) to issue standards and\n                                                                       strengths, including but not limited to its information system security\nguidelines for Federal information and systems including minimum\n                                                                       training, system-level planning, risk assessment, access authorization,\nsecurity requirements. NIST has defined an overall information\n                                                                       and continuous control monitoring, the audit identified security practices\nsecurity risk management framework.\n                                                                       that can be improved. Specifically, FHFA had not:\nAdditionally, the Office of Management and Budget (OMB) has\nissued guidance related to information security including plans of       \xe2\x80\xa2 Finalized, disseminated, and implemented a NIST-recommended\naction and milestones (POA&Ms) for addressing findings from                organization-wide information security program plan that defines\nsecurity control assessments, security impact analyses, and                such key requirements as security-related roles and responsibilities\ncontinuous monitoring activities. POA&Ms provide a roadmap for             and security program controls.\ncontinuous agency security improvement and assist agency officials       \xe2\x80\xa2 Updated the Agency\xe2\x80\x99s policies and procedures to address\nto prioritize corrective action and resource allocation.                   
completely all of the NIST-recommended components within the\n                                                                           control families applicable to the FHFA information system\nThe Federal Housing Finance Agency (FHFA) Office of Inspector              environment. For example, key controls in areas such as access\nGeneral (FHFA-OIG) contracted with Clifton Gunderson LLP (CG)              control, configuration management, contingency planning, and\nto conduct a performance audit to fulfill its FISMA responsibilities       incident handling were not fully addressed by FHFA.\nfor an annual independent evaluation of FHFA\xe2\x80\x99s security program.\n                                                                         \xe2\x80\xa2 Developed, disseminated, and implemented an agency-wide\nThe objective of the audit was to evaluate the effectiveness of\n                                                                           information categorization policy and methodology. FHFA had\nFHFA\xe2\x80\x99s information security program and practices and its\n                                                                           categorized its information systems without categorizing the\ncompliance with FISMA and related information security policies,\n                                                                           information used by those systems. NIST describes controls\nprocedures, standards, and guidelines.\n                                                                           related to security categorization, which provides a basis for\nWhat FHFA-OIG Recommends                                                   selecting and implementing controls.\nFHFA-OIG adopted CG\xe2\x80\x99s findings and recommendations. 
The audit            \xe2\x80\xa2 Implemented adequate procedures for tracking and monitoring\nreport makes five recommendations to FHFA to strengthen its                correction of weaknesses or deficiencies through POA&Ms. As\ninformation security program: (1) finalize the agency-wide                 defined by NIST, the plans should identify tasks needing to be\ninformation security program plan; (2) update policies and                 accomplished, resource requirements, milestones for meeting\nprocedures to address all NIST requirements and recommendations            tasks, and completion dates for milestones.\napplicable to the FHFA information security environment; (3)             \xe2\x80\xa2 Implemented adequate procedures for ensuring remediation of\ndevelop and implement an information categorization policy and             weaknesses noted in network vulnerability assessments.\nmethodology; (4) establish a process to monitor compliance with            Numerous vulnerabilities identified during these assessments were\nprocedures for timely completion of POA&Ms; and (5) track and              not tracked and monitored to completion.\nmonitor remediation actions to address weaknesses identified in        Addressing these control deficiencies in information security practices\nnetwork vulnerability assessments.                                     will strengthen FHFA\xe2\x80\x99s information security program and contribute to\nIn response to the findings and recommendations, FHFA provided         ongoing efforts to achieve reasonable assurance of adequate security\nwritten comments, dated September 19, 2011. The Agency agreed          over information resources.\nwith the recommendations. 
The complete text of the written\ncomments can be found in Appendix B of this report.\n\nAudit Report: AUD-2011-002                                                                                 Dated: September 29, 2011\n\x0cTABLE OF CONTENTS\nTABLE OF CONTENTS ..................................................................................................................... iii\n\nABBREVIATIONS ............................................................................................................................. iv\n\nPREFACE .......................................................................................................................................... v\n\nAPPENDIX A .................................................................................................................................... vi\n\n       Clifton Gunderson LLP\xe2\x80\x99s Final Audit Report Entitled, Independent Audit of the Federal Housing Finance\n       Agency\xe2\x80\x99s Information Security Program - 2011\n\nAPPENDIX B ................................................................................................................................... vii\n\n       FHFA\xe2\x80\x99s Comments to FHFA-OIG\xe2\x80\x99s Draft Report\n\nAPPENDIX C ................................................................................................................................... xii\n\n       FHFA-OIG\xe2\x80\x99s Response to FHFA\xe2\x80\x99s Comments\n\nAPPENDIX D .................................................................................................................................. xiii\n\n       Summary of Management\xe2\x80\x99s Comments on the Recommendations\n\nADDITIONAL INFORMATION AND COPIES .................................................................................... 
xiv\n\n\n\n\n         Federal Housing Finance Agency Office of Inspector General \xe2\x80\xa2 AUD-2011-002 \xe2\x80\xa2 September 29, 2011\n                                                                        iii\n\x0cABBREVIATIONS\nCG ........................................................................................................................ Clifton Gunderson\nC&A ................................................................................................. Certification and Accreditation\nCIO ........................................................................................................... Chief Information Officer\nCISO .......................................................................................... Chief Information Security Officer\nFannie Mae......................................................................... Federal National Mortgage Association\nFHFA ........................................................................................... Federal Housing Finance Agency\nFHFA-OIG ...................................... Federal Housing Finance Agency Office of Inspector General\nFHLBanks ...............................................................................................Federal Home Loan Banks\nFreddie Mac .................................................................. Federal Home Loan Mortgage Corporation\nFIPS................................................................................ Federal Information Processing Standards\nFISMA ...................................................... Federal Information Security Management Act of 2002\nGSS ............................................................................................................ General Support System\nGAGAS ......................................................... 
Generally Accepted Government Auditing Standards\nHERA.......................................................................Housing and Economic Recovery Act of 2008\nIT ................................................................................................................ Information Technology\nNIST ....................................................................... National Institute of Standards and Technology\nOMB .......................................................................................... Office of Management and Budget\nPOA&M ............................................................................................ Plan of Action and Milestones\nRMF .................................................................................................. Risk Management Framework\n\n\n\n\n         Federal Housing Finance Agency Office of Inspector General \xe2\x80\xa2 AUD-2011-002 \xe2\x80\xa2 September 29, 2011\n                                                                     iv\n\x0c                                    Federal Housing Finance Agency\n\n                                       Office of Inspector General\n\n                                              Washington, DC\n\n\n\n\n                                             PREFACE\nFHFA-OIG was established by the Housing and Economic Recovery Act of 2008 (HERA), 1\nwhich amended the Inspector General Act of 1978. 2 FHFA-OIG is authorized to conduct audits,\ninvestigations, and other activities of the programs and operations of FHFA; to recommend\npolicies that promote economy and efficiency in the administration of such programs and\noperations; and to prevent and detect fraud and abuse in them. 
This is one in a series of audits,\nevaluations, and special reports published as part of FHFA-OIG\xe2\x80\x99s oversight responsibilities to\npromote economy, effectiveness, and efficiency in the administration of FHFA\xe2\x80\x99s programs.\n\nThe objective of this performance audit was to evaluate FHFA\xe2\x80\x99s information security program\nand practices, including FHFA\xe2\x80\x99s compliance with the FISMA and related information security\npolicies, procedures, standards, and guidelines. FHFA-OIG contracted with CG to conduct this\nstatutorily required audit. CG\xe2\x80\x99s audit report is included in Appendix A of this report.\n\nCG\xe2\x80\x99s audit report makes five recommendations to FHFA to assist in strengthening its\ninformation security program. FHFA-OIG adopts these recommendations and believes they will\nhelp the Agency achieve more economical, effective, and efficient operations. FHFA-OIG\nappreciates the assistance of all those who contributed to the audit.\n\nThis report has been distributed to Congress, OMB, and others and will be posted on FHFA-\nOIG\xe2\x80\x99s website, www.fhfaoig.gov/.\n\n\n\n\nRussell A. Rau\nDeputy Inspector General for Audits\n\n\n\n\n1\n    Public Law No. 110-289.\n2\n    Public Law No. 
95-452.\n\n         Federal Housing Finance Agency Office of Inspector General \xe2\x80\xa2 AUD-2011-002 \xe2\x80\xa2 September 29, 2011\n                                                       v\n\x0cAPPENDIX A\nClifton Gunderson LLP\xe2\x80\x99s Independent Audit of the Federal Housing Finance Agency\xe2\x80\x99s\nInformation Security Program \xe2\x80\x93 2011, pages 1 \xe2\x80\x93 38.\n\n\n\n\n     Federal Housing Finance Agency Office of Inspector General \xe2\x80\xa2 AUD-2011-002 \xe2\x80\xa2 September 29, 2011\n                                                   vi\n\x0c                                                            t\xc2\xa0\n\nA1\xc2\xa0\n\n                           Clifton Gunderson LLP\xe2\x80\x99s Independent\n\n                       Audit of the Federal Housing Finance Agency\xe2\x80\x99s\n\n                            Information Security Program - 2011\n\n\n\n\n                                      Prepared for the\n\n                              Federal Housing Finance Agency\n\n                                Office of Inspector General\n\n\n\n                                    September 29, 2011\n\n\n\n\n\n4250\xc2\xa0N.\xc2\xa0Fairfax\xc2\xa0Drive\xc2\xa0\nSuite\xc2\xa01020\xc2\xa0\nArlington,\xc2\xa0Virginia\xc2\xa022203\xc2\xa0\ntel:\xc2\xa0\xc2\xa0571\xc2\xad227\xc2\xad9500\xc2\xa0\nfax:\xc2\xa0571\xc2\xad227\xc2\xad9552\xc2\xa0\nwww.cliftoncpa.com\xc2\xa0\n\x0c                                                             Table of Contents\n\n\nExecutive Summary ................................................................................................................................... 3\nBackground ................................................................................................................................................. 6\n   Federal Information Security Management Act ................................................................................. 
6\n   NIST Security Standards and Guidelines........................................................................................... 7\n   NIST Risk Management Framework ................................................................................................... 9\n   FHFA Systems Environment .............................................................................................................. 10\n   FHFA Information System Security Program................................................................................... 12\n       Organization...................................................................................................................................... 12\n       Risk Management ............................................................................................................................ 12\n       Information Security Policies and Procedures............................................................................. 13\n       Security Awareness, Training, and Education ............................................................................. 14\n       Incident Response ........................................................................................................................... 14\n       Configuration Management ............................................................................................................ 14\n       Contingency Planning...................................................................................................................... 14\n       Security Performance Measurement............................................................................................. 15\nResults of Audit......................................................................................................................................... 
16\n   Overview................................................................................................................................................ 16\n   1.\tFHFA Needs to Document an Agency-Wide Information Security Program Plan................. 18\n   2.\t FHFA Needs to Update Its Information Security Policies and Procedures to Address all\n      Applicable NIST 800-53 Rev. 3 Components.............................................................................. 20\n   3.\tFHFA Needs to Develop an Agency-Wide Information Categorization Policy and\n      Methodology ..................................................................................................................................... 23\n   4.\tFHFA Needs to Strengthen Tracking and Monitoring of Weaknesses and Deficiencies in\n      the Plan of Action and Milestones ................................................................................................. 25\n   5. FHFA Needs to Strengthen Remediation of Vulnerability Assessment Weaknesses .......... 28\nAppendix I \xe2\x80\x93 Objective, Scope and Methodology ............................................................................... 31\nAppendix II \xe2\x80\x93 Summary of Controls Tested ......................................................................................... 35\n\n\n\n\n                                                                              2\n\x0cExecutive Summary\n\nSeptember 29, 2011\n\n\n\nHonorable Steve A. Linick\nInspector General\nFederal Housing Finance Agency\n1625 Eye Street, NW\nWashington, DC 20006\n\nDear Mr. Linick:\n\nThe Federal Information Security Management Act of 2002 (FISMA) requires agencies\nto develop, document, and implement an agency-wide information security program to\nprotect their information and information systems, including those provided or managed\nby another agency, contractor, or other source. 
Additionally, FISMA requires agencies\nto undergo an annual independent evaluation of the agency\xe2\x80\x99s information security\nprograms and practices and an assessment of compliance with the requirements of the\nAct. The Federal Housing Finance Agency (FHFA) Office of Inspector General (FHFA\xc2\xad\nOIG) contracted with Clifton Gunderson (CG) to conduct a performance audit of the\nFHFA\xe2\x80\x99s information security program and practices related to FISMA. We are pleased\nto provide the Fiscal Year (FY) 2011 FISMA CG Independent Audit Report, detailing the\nresults of our review of FHFA\xe2\x80\x99s information security program.\n\nThe objective of this performance audit was to evaluate the effectiveness of FHFA\xe2\x80\x99s\ninformation security program and practices, including FHFA\xe2\x80\x99s compliance with FISMA\nand related information security policies, procedures, standards and guidelines. The\nFHFA-OIG\xe2\x80\x99s approach for the FY 2011 FISMA audit was a programmatic review of\nFHFA\xe2\x80\x99s governance structure related to the implementation and monitoring of FISMA\nrequirements, and how FHFA has applied the National Institute of Standards and\nTechnology\xe2\x80\x99s (NIST\xe2\x80\x99s) Risk Management Framework (RMF) for managing security\nthroughout the lifecycle of their information systems. The audit included a review of the\nFHFA\xe2\x80\x99s Office of the Chief Information Officer\xe2\x80\x99s (CIO\xe2\x80\x99s) oversight role related to the\nimplementation and monitoring of FISMA requirements, as well as the review of a\nselection of security controls within each of the RMF phases for a sample of information\nsystems, as required by FISMA. The controls assessed include the following NIST\nSpecial Publication (SP) 800-53 Rev. 
3, Recommended Security Controls for Federal\nInformation Systems and Organizations (NIST SP 800-53 Rev.3), control families:\nPlanning (PL), Risk Assessment (RA) and Security Assessment and Authorization (CA).\nOur audit was performed in accordance with Generally Accepted Government Auditing\nStandards (GAGAS).\n\nWe found that FHFA generally has a sound RMF for its information security program. In\nparticular, strengths of the program included training, system-level security planning,\nrisk assessment, authorization of system connectivity, and continuous monitoring of\n\n\n                                           3\n\x0csecurity controls. However, information security practices were not fully effective to\npreserve the confidentiality, integrity and availability of FHFA\xe2\x80\x99s information and\ninformation systems, potentially exposing them to unauthorized access, use, disclosure,\ndisruption, modification, or destruction. CG does not consider the deficiencies noted as\na significant deficiency under FISMA. 1 However, CG concluded collectively that the\ndeficiencies are significant in the context of the audit objective as defined for\nperformance audits under GAGAS.\n\nFor example, the audit identified a number of FHFA\xe2\x80\x99s security practices that can be\nimproved. Specifically, FHFA had not:\n\n      \xe2\x8e\xaf\t Finalized, disseminated, and implemented an organization-wide information\n         security program plan.\n      \xe2\x8e\xaf\t Updated the Agency\xe2\x80\x99s information system policies and procedures to completely\n         address all of the components within the control families from NIST SP 800-53\n         Rev. 
3 applicable to the FHFA information system environment.\n      \xe2\x8e\xaf\t Developed, disseminated, and implemented an agency-wide information\n         categorization policy and methodology.\n      \xe2\x8e\xaf\t Implemented adequate procedures for tracking and monitoring weaknesses or\n         deficiencies through Plan of Action and Milestones (POA&M).\n      \xe2\x8e\xaf\t Implemented adequate procedures for tracking and monitoring remediation of\n         weaknesses noted from network vulnerability scans.\n\nAddressing these control deficiencies in information security practices will strengthen\nFHFA\xe2\x80\x99s information security program and contribute to ongoing efforts to achieve\nreasonable assurance of adequate security over information resources.\n\nFHFA\xe2\x80\x99s information security program also had a number of strengths, including but not\nlimited to the following:\n\n      \xe2\x8e\xaf\t Providing initial security awareness training to new employees and annual\n         refresher training as well as security specific role based training for FHFA\n         security staff.\n      \xe2\x8e\xaf\t Developing security plans for individual information systems that describe the\n         security controls in place or planned for meeting security requirements and\n         assessing the security controls in the information system to determine the extent\n         to which the controls are implemented correctly, operating as intended, and\n         producing the desired outcome with respect to meeting the security requirements\n         for the system.\n      \xe2\x8e\xaf\t Conducting an assessment of risk, including the likelihood and magnitude of\n         harm, from the unauthorized access, use, disclosure, disruption, modification, or\n\n1\n    See page 33 in this report for the definition of significant deficiency under FISMA.\n\n\n                                                        4\n\x0c      destruction of the information system and the 
information it processes, stores or\n      transmits, and documenting risk assessment results in a risk assessment report.\n   \xe2\x8e\xaf\t Authorizing connections from the information system to other information\n      systems outside of the authorization boundary through the use of Interconnection\n      Security Agreements.\n   \xe2\x8e\xaf\t Establishing a continuous monitoring strategy and implementing a continuous\n      monitoring program that includes ongoing security control assessments and\n      reporting the security state of the information system to appropriate\n      organizational officials.\nThis report makes five recommendations to assist FHFA in strengthening its information\nsecurity program.\n\nThis performance audit did not constitute an audit of financial statements in accordance\nwith GAGAS. CG was not engaged to, and did not, render an opinion on the FHFA\xe2\x80\x99s\ninternal controls over financial reporting or financial management systems.\nFurthermore, the projection of any conclusions, based on our findings, to future periods\nis subject to the risk that controls may become inadequate because of changes in\nconditions, or because compliance with controls may deteriorate.\n\nSincerely,\n\nCLIFTON GUNDERSON LLP\n\n\na1\xc2\xa0\nArlington, Virginia\nSeptember 29, 2011\n\n\n\n\n                                           5\n\x0cCG\xe2\x80\x99s Independent Audit of FHFA\xe2\x80\x99s Information Security Program - 2011 -\n\n\n\nBackground\n\nOn July 30, 2008, FHFA was established by the Housing and Economic and Recovery\nAct of 2008 (HERA), Public Law No. 110-289. 
Specifically, HERA abolished two\nexisting Federal agencies, the Office of Federal Housing Enterprise Oversight and the\nFederal Housing Finance Board, and in their place created the FHFA to regulate the\nFederal National Mortgage Association (Fannie Mae), the Federal Home Loan\nMortgage Corporation (Freddie Mac), the 12 Federal Home Loan Banks (FHLBanks),\nand the Office of Finance. FHFA is an independent Federal agency, with a Director,\nappointed by the President and confirmed by the U.S. Senate. Its mission is to provide\neffective supervision, regulation, and housing mission oversight of Fannie Mae, Freddie\nMac and the FHLBanks. FHFA is a non-appropriated, non-apportioned agency that\ndraws its financial resources from assessments on Fannie Mae, Freddie Mac, and the\n12 FHLBanks. The Agency has a $201 million budget for fiscal year 2011 and a staff of\n598.2\n\nFederal Information Security Management Act\n\nThe Federal Information Security Management Act of 2002 (FISMA) was enacted into\nlaw as Title III of the E-Government Act of 2002 (Public Law No. 107-347, December\n17, 2002). 
Key requirements of FISMA include:\n\n    \xe2\x8e\xaf\t The establishment of an agency-wide information security program to provide\n       information security for the information and information systems that support the\n       operations and assets of the agency, including those provided or managed by\n       another agency, contractor, or other source;\n    \xe2\x8e\xaf\t An annual independent evaluation of the agency\xe2\x80\x99s information security programs\n       and practices; and\n    \xe2\x8e\xaf\t An assessment of compliance with the requirements of the Act.\n\nIn addition, FISMA requires Federal agencies to implement the following:\n\n    \xe2\x8e\xaf\t Periodic risk assessments;\n    \xe2\x8e\xaf\t Information security policies, procedures, standards, and guidelines;\n    \xe2\x8e\xaf\t Delegation of authority to the CIO to ensure compliance with policy;\n    \xe2\x8e\xaf\t Security awareness training programs;\n    \xe2\x8e\xaf\t Periodic testing and evaluation of the effectiveness of security policies,\n       procedures, and practices to be done no less than annually;\n    \xe2\x8e\xaf\t Processes to manage remedial actions for addressing deficiencies;\n\n2\n The Appendix, Other Independent Agencies, Budget of the United States Government, Fiscal Year\n2012, http://www.whitehouse.gov/sites/default/files/omb/budget/fy2012/assets/oia.pdf, pp. 1239-1241.\n\n\n                                                  6\n\x0cCG\xe2\x80\x99s Independent Audit of FHFA\xe2\x80\x99s Information Security Program - 2011 -\n\n\n   \xe2\x8e\xaf\t Procedures for detecting, reporting, and responding to security incidents;\n   \xe2\x8e\xaf\t Plans to ensure continuity of operations; and\n   \xe2\x8e\xaf\t Annual reporting on the adequacy and effectiveness of the information security\n      program.\n\nThe Office of Management and Budget (OMB) is responsible for reporting to Congress\na summary of the results of agency compliance with FISMA requirements. 
OMB\xe2\x80\x99s\nprincipal written statement of government policy regarding information security is OMB\nCircular No. A-130, Management of Federal Information Resources, Appendix III,\nSecurity of Federal Automated Information Resources (OMB Circular A-130, Appendix\nIII), dated November 28, 2000, which establishes a minimum set of controls to be\nincluded in Federal automated information security programs. In particular, Appendix III\nof OMB Circular A-130 defines adequate security as security commensurate with the\nrisk and magnitude of the harm resulting from loss, misuse, or unauthorized access to\nor modification of information. This includes assuring that systems and applications\nused by the agency operate effectively and provide appropriate confidentiality, integrity,\nand availability, through the use of cost-effective management, personnel, operational,\nand technical controls.\n\nAdditionally, OMB has issued guidance related to information security with regard to\nplans of action and milestones (POA&Ms) for addressing findings from security control\nassessments, security impact analyses, and continuous monitoring activities. Per OMB\nMemoranda M-02-01, Guidance for Preparing and Submitting Security Plans of Action\nand Milestones, POA&Ms provide a roadmap for continuous agency security\nimprovement and assist agency officials with prioritizing corrective action and resource\nallocation.\n\nNIST Security Standards and Guidelines\n\nFISMA requires NIST to provide standards and guidelines pertaining to Federal\ninformation systems.     Standards prescribed are to include information security\nstandards that provide minimum information security requirements and are otherwise\nnecessary to improve the security of Federal information and information systems.\nFISMA requires that Federal agencies comply with Federal Information Processing\nStandards (FIPS) issued by NIST. 
In addition, NIST develops and issues Special Publications (SPs) as recommendations and guidance documents. FIPS Publication (PUB) 200, Minimum Security Requirements for Federal Information and Information Systems (FIPS PUB 200), mandates the use of NIST SP 800-53 Rev. 3. The purpose of NIST SP 800-53 Rev. 3 is to provide guidelines for selecting and specifying security controls for information systems supporting the agency to meet the requirements of FIPS PUB 200. The security controls described in NIST SP 800-53 Rev. 3 are organized into 18 families. Each security control family includes security controls associated with the security functionality of the family. In addition, there are three general classes of security controls: management, operational, and technical.[3]

7

CG's Independent Audit of FHFA's Information Security Program - 2011

The NIST SP 800-53 Rev. 3 security control families are as follows:

Table 1: Security Control Families
Security Control Family                    Control Class
Access Control                             Technical
Audit and Accountability                   Technical
Identification and Authentication          Technical
System and Communications Protection       Technical
Security Assessment and Authorization      Management
Planning                                   Management
Risk Assessment                            Management
System and Services Acquisition            Management
Program Management                         Management
Awareness and Training                     Operational
Configuration Management                   Operational
Contingency Planning                       Operational
Incident Response                          Operational
Maintenance                                Operational
Media Protection                           Operational
Physical and Environmental Protection      Operational
Personnel Security                         Operational
System and Information Integrity           Operational

[3] According to NIST SP 800-53 Rev. 3, management controls are the security controls for an information system that focus on the management of risk and the management of information system security. Operational controls are the security controls for an information system that are primarily implemented and executed by people (as opposed to systems). Technical controls are the security controls for an information system that are primarily implemented and executed by the information system through mechanisms contained in the hardware, software, or firmware components of the system.

8

NIST Risk Management Framework

FISMA also requires NIST to develop standards and guidelines to be used by agencies to categorize all information and information systems collected or maintained by or on behalf of the agency in order to provide appropriate levels of information security according to a range of risk levels. FIPS PUB 199, Standards for Security Categorization of Federal Information and Information Systems, establishes security categories for information and information systems based on the potential impact on the agency should certain events occur which threaten the information and information systems needed by the agency.
FISMA defines three security objectives for information and information systems, which are also incorporated in the OMB Circular A-130, Appendix III, definition of adequate security:

Confidentiality: A loss of confidentiality is the unauthorized disclosure of information.

Integrity: A loss of integrity is the unauthorized modification or destruction of information.

Availability: A loss of availability is the disruption of access to or use of information or an information system.

To assist agencies in improving information security and strengthening risk management processes, NIST, in partnership with the Department of Defense, the Office of the Director of National Intelligence, and the Committee on National Security Systems, developed a common information security framework, NIST's RMF. The RMF, comprising the following six steps, provides a structured practice for incorporating information security and risk management activities into the system development life cycle:

- Categorize the information system and the information processed, stored, and transmitted by that system based on an impact analysis.

- Select an initial set of baseline security controls for the information system based on the security categorization; tailor and supplement the security control baseline as needed based on an organizational assessment of risk and local conditions.

- Implement the security controls and describe how the controls are employed within the information system and its environment of operation.

- Assess the security controls using appropriate assessment procedures to determine the extent to which the controls are implemented correctly, operating as intended, and producing the desired outcome with respect to meeting the security requirements for the system.

- Authorize information system operation based on a determination of the risk to organizational operations and assets, individuals, other organizations, and the Nation resulting from the operation of the information system and the decision that this risk is acceptable.

- Monitor the security controls in the information system on an ongoing basis, including assessing control effectiveness, documenting changes to the system or its environment of operation, conducting security impact analyses of the associated changes, and reporting the security state of the system to designated organizational officials.

9

NIST SP 800-37 Rev. 1, Guide for Applying the Risk Management Framework to Federal Information Systems: A Security Life Cycle Approach (NIST SP 800-37 Rev. 1), provides guidelines for applying the RMF to Federal information systems. This framework is detailed in the graphic below:

Figure 1: NIST Risk Management Framework

FHFA Systems Environment

FHFA defines the FHFA information system as a set of hardware, software, infrastructure, and supporting personnel which work together to provide coordination and decision-making capabilities to the Agency. FHFA utilizes technology such as software, applications, and hardware for gathering, storing, processing, and transmitting information. All FHFA systems are identified as major or minor and categorized as high, medium, or low security impact based on FIPS PUB 199 standards.
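The categorization just mentioned is the FIPS PUB 199 procedure that Finding 3 of this report later notes FHFA has no agency-wide methodology for: each information type a system handles is assigned a potential-impact level (low, moderate, or high; the report's "medium" is FIPS PUB 199's "moderate") for confidentiality, integrity, and availability; the system's security category is the high-water mark over its information types; and FIPS PUB 200 reduces that triple to one impact level that selects the NIST SP 800-53 baseline. The following is an added example written for this page, not code from the audit report, FHFA, or NIST. The information types and their levels are constructed for illustration and are not NIST SP 800-60 provisional values, and the adjust helper is the writer's own way of keeping a recorded rationale beside a changed level, which control RA-2 b asks the security plan to document.

```python
"""FIPS 199 security categorization worked through in code.

Added illustration, not code from the audit report, FHFA, or NIST.
The information types and impact levels below are constructed for
the example; they are not provisional levels from NIST SP 800-60.
"""
from dataclasses import dataclass, replace
from typing import Dict, Iterable, Optional

# FIPS 199 potential-impact scale, as an ordinal so max() works on it.
LEVELS = {"LOW": 1, "MODERATE": 2, "HIGH": 3}
OBJECTIVES = ("confidentiality", "integrity", "availability")


@dataclass(frozen=True)
class InfoType:
    """One information type with an impact level per security objective."""
    name: str
    # None means "not applicable". FIPS 199 allows N/A only for the
    # confidentiality of information intended for public release.
    confidentiality: Optional[str]
    integrity: str
    availability: str
    rationale: str = ""  # recorded reasons for any adjustment (RA-2 b)

    def __post_init__(self) -> None:
        for obj in OBJECTIVES:
            lvl = getattr(self, obj)
            if lvl is None and obj != "confidentiality":
                raise ValueError(f"{self.name}: {obj} cannot be N/A")
            if lvl is not None and lvl not in LEVELS:
                raise ValueError(f"{self.name}: unknown level {lvl!r}")


def adjust(t: InfoType, objective: str, level: str, rationale: str) -> InfoType:
    """Raise or lower one objective's level for local conditions, keeping
    the supporting rationale with the record; validation re-runs."""
    if not rationale.strip():
        raise ValueError("an adjustment needs a documented rationale")
    note = f"{objective}: {getattr(t, objective)} -> {level} ({rationale})\n"
    return replace(t, **{objective: level}, rationale=t.rationale + note)


def high_water_mark(levels: Iterable[Optional[str]]) -> str:
    """Highest level among those given; if every value is N/A the floor
    is LOW, the minimum FIPS 199 assigns to a system for any objective."""
    present = [lvl for lvl in levels if lvl is not None]
    return max(present, key=LEVELS.__getitem__) if present else "LOW"


def categorize_system(info_types: Iterable[InfoType]) -> Dict[str, str]:
    """System category per objective = high-water mark over all information
    types the system processes, stores, or transmits (FIPS 199)."""
    types = list(info_types)
    if not types:
        raise ValueError("a system must carry at least one information type")
    return {obj: high_water_mark(getattr(t, obj) for t in types) for obj in OBJECTIVES}


def overall_impact(sc: Dict[str, str]) -> str:
    """FIPS 200 reduces the triple to a single level, the highest of the
    three, which selects the low, moderate, or high SP 800-53 baseline."""
    return high_water_mark(sc[obj] for obj in OBJECTIVES)


def format_sc(label: str, sc: Dict[str, Optional[str]]) -> str:
    """Render a category in the notation FIPS 199 itself uses."""
    inner = ", ".join(f"({obj}, {sc[obj] or 'N/A'})" for obj in OBJECTIVES)
    return f"SC {label} = {{{inner}}}"


# Constructed sample: an examination-support system carrying three
# information types. Levels are illustrative, not SP 800-60 values.
EXAM_SYSTEM = [
    InfoType("public press releases", None, "LOW", "LOW"),
    InfoType("regulated-entity examination findings", "MODERATE", "MODERATE", "LOW"),
    InfoType("employee payroll records", "MODERATE", "MODERATE", "LOW"),
]

if __name__ == "__main__":
    for t in EXAM_SYSTEM:
        print(format_sc(t.name, {o: getattr(t, o) for o in OBJECTIVES}))
    sc = categorize_system(EXAM_SYSTEM)
    print(format_sc("examination support system", sc))
    print("overall impact level:", overall_impact(sc))
```

Run as a script, the sample yields SC examination support system = {(confidentiality, MODERATE), (integrity, MODERATE), (availability, LOW)} and an overall impact level of MODERATE, which is why a single system can sit at a moderate baseline even though none of its information types needs more than low availability. Adding an information type, or adjusting a level for local conditions, re-runs the same high-water-mark computation, which is what an agency-wide categorization methodology has to make repeatable.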
10

FHFA has one General Support System (GSS),[4] 13 major applications, and 21 minor applications.[5] All of the systems are in the production phase of the life cycle except for one minor system in the development phase.

The major systems are:

Table 2: Major FHFA Systems
System                                                Life Cycle Status
CRS.Net - Call reporting system                       Production
Examiner Workstation (xWorks)                         Production
Avue System                                           Production
WebTA                                                 Production
Information Management System (IMS)                   Production
e-OPF                                                 Production
FHR Navigator                                         Production
FMS - Financial Management System                     Production
HSPD-12 PIV                                           Production
Managed Trusted Internet Protocol Service (MTIPS)     Production
National Finance Center (NFC)                         Production
Plateau (LMS)                                         Production
USA Staffing                                          Production

FHFA defines boundaries for its information systems in order to assign protection resources to them. Agency information systems that are under FHFA's direct management control are called internal systems.
FHFA defines externally hosted systems as contractor systems, which are not the Office of Technology and Information Management's (OTIM's) responsibility to operate and maintain. For externally hosted systems, Interagency Security Agreements are in place with other agencies.

[4] According to NIST SP 800-18 Rev. 1, Guide to Developing Security Plans for Federal Information Systems, a general support system is interconnected information resources under the same direct management control, which shares common functionality. A general support system normally includes hardware, software, information, data, applications, communications, facilities, and people and provides support for a variety of users and/or applications.

[5] According to NIST SP 800-37 Rev. 1, a major application is an application that requires special attention to security due to the risk and magnitude of harm resulting from the loss, misuse, or unauthorized access to or modification of the information in the application. A minor application is an application, other than a major application, that requires attention to security due to the risk and magnitude of harm resulting from the loss, misuse, or unauthorized access to or modification of the information in the application. Minor applications are typically included as part of a general support system.

11

FHFA subsystems typically fall under the same management authority and are included within a single system security plan. These systems have the same function or mission objective and essentially the same operating characteristics and security needs, and reside in the same general operating environment.
FHFA uses system boundaries for purposes of security accreditation.[6]

The FHFA GSS provides information sharing and data processing capabilities via interconnected workstations and servers. It is utilized by FHFA employees and contractors for network services, e-mail, and connectivity to FHFA's Intranet, local area network, and the public Internet. FHFA employs a variety of applications (both commercial off-the-shelf products and custom applications developed in-house) running on the GSS. The GSS is extended for mobile device users using Exchange Server to support encrypted mobile devices. FHFA relies on the GSS automated information resources to accomplish its core business operations and processes. The FHFA GSS is a closed system, in that only FHFA-owned systems can directly connect to the network. It supports major and minor applications processing "sensitive but unclassified" information.

FHFA Information System Security Program

Organization

FHFA's information technology (IT) security organization includes the CIO, the Chief Information Security Officer (CISO), and eight additional staff responsible for training and awareness, network scanning and monitoring, and certification and accreditation (C&A) activities including continuous monitoring. The role of the CIO is to act as primary advisor to the Acting Director and senior FHFA staff on all matters related to information technology oversight, lead the analysis of technology requirements, and manage the life cycle of technology at FHFA. The CISO directs the management of FHFA's IT security program.

Risk Management

FHFA's information security program is based on NIST's RMF and provides FHFA the capability to manage information system-related security risks in line with the organization's mission and business objectives.
Overall risk strategy for information systems is established by the senior leadership to ensure that information security requirements, including necessary security controls, are integrated into the organization's enterprise architecture and system development life cycle processes. Following is a diagram depicting how FHFA is implementing NIST's RMF.

[6] According to NIST SP 800-53 Rev. 3, security accreditation is the official management decision given by a senior agency official to authorize operation of an information system and to explicitly accept the risk to agency operations (including mission, functions, image, or reputation), agency assets, or individuals, based on the implementation of an agreed-upon set of security controls.

12

Figure 2: FHFA Information Systems Risk Management Framework

The figure shows the six RMF steps arranged as a Security Life Cycle around a central inventory of information systems; the text of each element is reproduced here:

- CATEGORIZE Information Systems: FHFA defines criticality/sensitivity of information system according to impact to mission/business.

- SELECT Security Requirements: FHFA selects baseline security controls and applies enhanced controls based on risk assessment.

- IMPLEMENT Controls: FHFA implements security controls and applies security configuration settings.

- ASSESS Security Controls: FHFA determines security control effectiveness (i.e., operating as intended, meeting security requirements).

- AUTHORIZE Information System: FHFA considers risk to the organizational operations and assets, individuals, and other organizations. If acceptable, authorizes operation.

- MONITOR Security Controls: FHFA continuously tracks changes to the information system that may affect security controls and reassesses control effectiveness.

- INVENTORY of Information Systems (center of the cycle): FHFA utilizes an inventory to maintain and track the status of information systems within the risk management process. The inventory is updated when a FIPS PUB 199 characterization has been completed for a new system, a system is retired, or a major change to a system triggers the recertification and accreditation of the system.

FHFA has developed an inventory of information systems that includes systems in production and development as part of its information systems risk management framework.
The CISO reviews all new IT investments, which allows the OTIM security team to monitor the development of new systems and changes to existing systems. Systems must be approved by the CIO to be included in the inventory. The inventory is updated when a new system is approved, a system that is no longer used is retired, or a major change to a system triggers the security assessment and authorization of the system.

Information Security Policies and Procedures

FHFA has documented information security policies and procedures based on the controls defined by NIST SP 800-53 Rev. 3. The policies and procedures are organized by and cover each of the NIST SP 800-53 Rev. 3 control families. The information security policies and procedures are posted on the FHFA Intranet.

13

Security Awareness, Training, and Education

FHFA information system users are required to have annual security awareness training commensurate with their system responsibilities prior to gaining access to Agency information systems. Initial security awareness training is provided by requiring new system users to read and acknowledge FHFA's Rules of Behavior. Annual security awareness refresher training is provided using the Plateau Learning Management System, which tracks completion of training by all employees and contractors.

Incident Response

Network incidents are monitored by the Managed Trusted Internet Protocol Service (MTIPS). FHFA employees and contractors are required to immediately report all real or suspected computer security incidents to the FHFA Help Desk. The incident response team investigates incidents and reports the incidents to the CISO and CIO.
Reporting of incidents to the United States Computer Emergency Readiness Team (US-CERT) is based on the category of the incident.[7]

Configuration Management

FHFA supports two distinct functions within configuration management. The first function, configuration management, determines the initial configuration of hardware and software. The other, change management, involves modifying hardware and software in production. FHFA's Change Control Board is responsible for the review and approval/rejection of all production change requests for updates to production environments. A Change Control Manager is responsible for ensuring system changes follow the change control process. The configuration management policy and procedures are used in conjunction with the system development life cycle methodology, which establishes procedures, practices, and guidelines governing the system life cycle of information systems within FHFA.

Contingency Planning

Information system owners are required to develop detailed business, communications, and IT recovery plans and the associated recovery capability for FHFA information systems. All personnel involved with the planning efforts are trained in executing the plan, and the recovery capability is tested annually. In addition, a Continuity of Operations Program is developed, including a Business Impact Analysis.

[7] According to NIST SP 800-53 Rev. 3, current Federal policy requires that all Federal agencies (unless specifically exempted from such requirements) report security incidents to the US-CERT within specified time frames designated in the US-CERT Concept of Operations for Federal Cyber Security Incident Handling.

14

Security Performance Measurement

Security performance is measured by a monthly POA&M report,[8] which tracks open and closed POA&Ms. The security team discusses open POA&Ms with system owners each month, and a quarterly meeting is held to discuss POA&M status. POA&M status for contractor systems is reviewed on a quarterly basis.

[8] According to NIST SP 800-53 Rev. 3, a POA&M is a document that identifies tasks needing to be accomplished. It details resources required to accomplish the elements of the plan, any milestones in meeting the tasks, and scheduled completion dates for the milestones.

15

Results of Audit

Overview

FISMA requires organizations to develop and implement an organization-wide information security program to address information security for the information and information systems that support the operations and assets of the organization, including those provided or managed by another organization, contractor, or other source.
Key elements of an organization-wide information security program include documentation of the information security program management controls that serve as the foundation for the agency's information security program, documentation of the security controls designated as common controls,[9] and identification of the personnel within the agency responsible for the development, implementation, assessment, authorization, and monitoring of those controls. The organization-wide information security program plan combined with the security plans developed for each information system comprise the security controls employed by the agency in their entirety. A successful information security program is dependent upon the implementation of both the agency's program management controls and the security controls for the agency's information systems.

The Agency's information system policies and procedures are critical in ensuring the organization-wide information security program is adhered to. The first security control in each NIST SP 800-53 Rev. 3 control family specifies the requirement for policies and procedures.
These policies and procedures should provide clear guidance to Agency personnel as to what their responsibilities are with regard to information system security requirements.

CG's audit included performing a review of FHFA's governance structure related to the implementation of FHFA's information security program and a detailed review of the design for FHFA's information security policies and procedures to determine whether the policies and procedures, if properly implemented, would comply with NIST requirements for each security control family.

Additionally, CG assessed how FHFA has applied NIST's RMF for managing security of its information systems, which consists of six steps: 1 - Categorizing, 2 - Selecting, 3 - Implementing, 4 - Assessing, 5 - Authorizing, and 6 - Monitoring (as shown in Figure 1, page 10).

[9] According to NIST SP 800-53 Rev. 3, a common control is a security control that is inherited by one or more organizational information systems. Security control inheritance is a situation in which an information system or application receives protection from security controls (or portions of security controls) that are developed, implemented, assessed, authorized, and monitored by entities other than those responsible for the system or application; entities either internal or external to the organization where the system or application resides.

16

In order to evaluate how extensively FHFA has implemented the RMF, CG performed testing of selected NIST SP 800-53 Rev. 3 controls that correlate with each of the steps and tasks defined within the framework.
Accordingly, CG tested program-level controls including security categorization, information system inventory, risk assessment, security planning, security assessment, and POA&Ms, and reviewed a judgmental sample of NIST SP 800-53 Rev. 3 controls related to information security program management.

We found that FHFA generally has a sound RMF for its information security program. In particular, strengths of the program included training, system-level security planning, risk assessment, authorization of system connectivity, and continuous monitoring of security controls. However, information security practices were not fully effective to preserve the confidentiality, integrity, and availability of FHFA's information and information systems, potentially exposing them to unauthorized access, use, disclosure, disruption, modification, or destruction. CG does not consider the deficiencies noted to be a significant deficiency under FISMA.[10] However, CG concluded that, collectively, the deficiencies are significant in the context of the audit objective as defined for performance audits under GAGAS.

The audit identified FHFA security practices that can be improved. Specifically, FHFA had not:

- Finalized, disseminated, and implemented an organization-wide information security program plan.
- Updated the Agency's information system policies and procedures to completely address all of the components within the control families from NIST SP 800-53 Rev. 3 applicable to the FHFA information system environment.
- Developed, disseminated, and implemented an agency-wide information categorization policy and methodology.
- Implemented adequate procedures for tracking and monitoring weaknesses or deficiencies through POA&Ms.
- Implemented adequate procedures for tracking and monitoring remediation of weaknesses noted from network vulnerability scans.

Addressing these control deficiencies in security practices will strengthen FHFA's information security program and contribute to ongoing efforts to achieve reasonable assurance of adequate security over information resources.

Table 4 in Appendix II (page 35) of this report summarizes the results of testing performed of the NIST SP 800-53 Rev. 3 controls selected for evaluation, associated with the information security program management controls, the RMF steps, and the related tasks. Our detailed findings are discussed on pages 18-30.

[10] See page 33 in this report for the definition of significant deficiency under FISMA.

17

Finding 1 - FHFA Needs to Document an Agency-Wide Information Security Program Plan

FHFA has not finalized and disseminated an organization-wide information security program plan as recommended by NIST SP 800-53 Rev. 3 and the Federal Housing Finance Agency Program Management Procedures.

NIST SP 800-53 Rev. 3 control PM-1, Program Management Information Security Program Plan, states:

   The organization:
   a. Develops and disseminates an organization-wide information security program plan that:
      - Provides an overview of the requirements for the security program and a description of the security program management controls and common controls in place or planned for meeting those requirements;
      - Provides sufficient information about the program management controls and common controls (including specification of parameters for any assignment and selection operations either explicitly or by reference) to enable an implementation that is unambiguously compliant with the intent of the plan and a determination of the risk to be incurred if the plan is implemented as intended;
      - Includes roles, responsibilities, management commitment, coordination among organizational entities, and compliance;
      - Is approved by a senior official with responsibility and accountability for the risk being incurred to organizational operations (including mission, functions, image, and reputation), organizational assets, individuals, other organizations, and the nation;
   b. Reviews the organization-wide information security program plan [Assignment: organization-defined frequency]; and
   c. Revises the plan to address organizational changes and problems identified during plan implementation or security control assessments.

The Federal Housing Finance Agency Program Management Procedures documented in August of 2010 require the CISO to develop an agency-wide information security program plan.
FHFA hired a CISO in February 2011 who has been in the process of developing and finalizing the plan.

The organization-wide security program plan should address information security for the information and information systems that support the operations and assets of the Agency. Without a documented and approved security program plan, there is an increased risk that FHFA personnel are unaware of the organization-wide information security controls applicable to the Agency and the common security controls applicable to the Agency's information systems. Furthermore, communication regarding Agency personnel's responsibilities for developing, implementing, assessing, authorizing, and monitoring those controls may be lacking. Hence, security controls may not be successfully implemented and monitored, leaving FHFA without effectively implemented countermeasures to protect its information systems. Without effective security controls in place, the risk is increased that FHFA is unable to protect its critical information and information systems, or data transmitted over the network, from unauthorized access, which may allow unauthorized users to read, add, delete, or modify sensitive information.

18

Recommendation 1: We recommend that FHFA's CISO finalize the agency-wide information security program plan in accordance with NIST SP 800-53 Rev. 3 requirements, and disseminate and implement the plan.

19

Finding 2 - FHFA Needs to Update Its Information Security Policies and Procedures to Address All Applicable NIST SP 800-53 Rev. 3 Components

FHFA information security policies and procedures are documented based on the controls defined by NIST SP 800-53 Rev. 3. The policies and procedures are organized by and cover each of the NIST SP 800-53 Rev. 3 control families. However, FHFA's information system policies and procedures do not completely address the components within the NIST SP 800-53 Rev. 3 control families applicable to the appropriate tailored set of baseline controls. The FHFA information system policies and procedures do not address recommended components from the following NIST SP 800-53 Rev. 3 control families:

- Access Control (AC)
  o AC-2: Account Management
  o AC-19: Access Control for Mobile Devices

- Audit and Accountability (AU)
  o AU-6: Audit Review, Analysis, and Reporting

- Configuration Management (CM)
  o CM-3: Configuration Change Control
  o CM-8: Information System Component Inventory

- Contingency Planning (CP)
  o CP-9: Information System Backup

- Incident Response (IR)
  o IR-4: Incident Handling

- Physical and Environmental Protection (PE)
  o PE-2: Physical Access Authorizations
  o PE-3: Physical Access Control
  o PE-6: Monitoring Physical Access
  o PE-8: Access Records

- Personnel Security (PS)
  o PS-8: Personnel Sanctions

- Risk Assessment (RA)
  o RA-5: Vulnerability Scanning

- System and Information Integrity (SI)
  o SI-4: Information System Monitoring
  o SI-5: Security Alerts, Advisories, and Directives

20

CG separately communicated to FHFA management the specific controls within each of the NIST control families noted above that were not completely addressed. Some of these included:

- Contingency Planning (CP-9: Information System Backup)
  o Documenting the frequency of conducting backups of information contained in the Agency's information systems;

- Configuration Management (CM-3: Configuration Change Control)
  o Documenting the retention requirements of records for configuration-controlled system changes;

- Access Control (AC-2: Account Management)
  o Documenting how group, system, and application accounts should be managed; and

- Incident Response (IR-4: Incident Handling)
  o Documenting coordination of incident handling activities with contingency planning activities.

NIST SP 800-100, Information Security Handbook: A Guide for Managers, states:

   Information security policy is an essential component of information security governance—without the policy, governance has no substance and rules to enforce. Information security policy should be based on a combination of appropriate legislation, such as FISMA; applicable standards, such as NIST Federal Information Processing Standards (FIPS) and guidance; and internal agency requirements.

NIST SP 800-12, An Introduction to Computer Security: A NIST Handbook, Section 5.2.2 Basic Components of Issue-Specific Policy, states:

   Computer security policies should be introduced in a manner that ensures that management's unqualified support is clear, especially in environments where employees feel inundated with policies, directives, guidelines, and procedures.
The\n   organization's policy is the vehicle for emphasizing management's commitment to\n   computer security and making clear their expectations for employee performance,\n   behavior, and accountability.\n\nFHFA developed its information system policies and procedures in 2010 and is in the\nprocess of updating the policies and procedures to ensure the procedures completely\naddress the components within the control families from NIST SP 800-53 Rev. 3\napplicable to the FHFA information system environment based on NIST guidance for\napplying the appropriate tailored set of baseline controls. However, these key areas have\nnot been addressed to date.\n\nThe purpose of these policies and procedures is to define the agency-wide information\nsecurity program and practices. Without comprehensive information security policies\nand procedures, the likelihood is increased that information security may not be\naddressed throughout the lifecycle of FHFA\xe2\x80\x99s information systems.          Moreover,\n\n\n\n                                                 21\n\x0cCG\xe2\x80\x99s Independent Audit of FHFA\xe2\x80\x99s Information Security Program - 2011\n\n\nemployees and contractors may be performing tasks without clear direction or training,\npotentially increasing risk that the Agency\xe2\x80\x99s information or information systems could be\ncompromised. The result may be the exposure of FHFA\xe2\x80\x99s systems and information to\nunauthorized access, data loss, data manipulation, and system unavailability. In turn,\nFHFA could be exposed to financial and reputational risk should a breach of the\nconfidentiality, integrity, or availability of sensitive information occur.\n\nRecommendation 2: We recommend that FHFA\xe2\x80\x99s CISO complete the update of the\nFHFA information system policies and procedures to address all of the applicable\nbaseline controls within the control families from NIST SP 800-53 Rev. 
3.\n\n\n\n\n                                                 22\n\x0cCG\xe2\x80\x99s Independent Audit of FHFA\xe2\x80\x99s Information Security Program - 2011\n\n\nFinding 3 - FHFA Needs to Develop an Agency-Wide Information Categorization\nPolicy and Methodology\n\nFHFA has not developed, disseminated, and implemented an agency-wide information\ncategorization policy and methodology based on FIPS PUB 199 as recommended by NIST\nSP 800-53 Rev. 3. According to FIPS PUB 199, information should be categorized\naccording to its information type and can be applicable to information in both electronic and\nnon-electronic form.\n\nNIST SP 800-53 Rev. 3 control RA-2, Risk Assessment Security Categorization, states\nthe following regarding information categorization:\n\n   The organization:\n   a.\t Categorizes information and the information system in accordance with\n       applicable Federal laws, Executive Orders, directives, policies, regulations,\n       standards, and guidance;\n   b.\t Documents the security categorization results (including supporting rationale) in\n       the security plan for the information system; and\n   c.\t Ensures the security categorization decision is reviewed and approved by the\n       authorizing official or authorizing official designated representative.\n\nIn addition, FIPS PUB 199 states:\n\n       The security category of an information type can be associated with both user\n       information and system information and can be applicable to information in either\n       electronic or non-electronic form. It can also be used as input in considering the\n       appropriate security category of an information system.\n\n       Establishing an appropriate security category of an information type essentially\n       requires determining the potential impact for each security objective associated\n       with the particular information type.\n\nFurthermore, NIST SP 800-60 Vol. 1 Rev. 
1, Guide for Mapping Types of Information\nand Information Systems to Security Categories (NIST SP 800-60 Vol.1 Rev. 1), states:\n\n       FIPS PUB 199 establishes security categories for both information and\n       information systems. Information is categorized according to its information type.\n       An information type is a specific category of information (e.g., privacy, medical,\n       proprietary, financial, investigative, contractor sensitive, security management)\n       defined by an organization or, in some instances, by a specific law, Executive\n       Order, directive, policy, or regulation.\n\n       Agencies support the categorization process by establishing mission-based\n       information types for the organization. The approach to establishing mission-\n       based information types at an agency begins by documenting the agency\xe2\x80\x99s\n       mission and business areas. In the case of mission-based information, the\n\n\n                                                 23\n\x0cCG\xe2\x80\x99s Independent Audit of FHFA\xe2\x80\x99s Information Security Program - 2011 -\n\n\n       responsible individuals, in coordination with management, operational, enterprise\n       architecture, and security stakeholders, should compile a comprehensive set of\n       the agency\xe2\x80\x99s lines of business and mission areas. In addition, responsible\n       individuals should identify the applicable sub-functions necessary to accomplish\n       the organization\xe2\x80\x99s mission.\n\nAlthough FHFA has applied FIPS PUB 199 to the categorization of its information\nsystems, FHFA is maturing the process of applying FIPS PUB 199 to also include\ncategorizing FHFA\xe2\x80\x99s information in order to develop an agency-wide information\ncategorization policy and methodology as described in NIST SP 800-60 Vol. 1 Rev. 
1.\n\nAn agency-wide information categorization policy and methodology facilitates data\nsecurity by identifying and communicating the level of protection in terms of\nconfidentiality, integrity, and availability required for the Agency\xe2\x80\x99s information. The lack\nof an information categorization policy and methodology limits the ability to properly\ncategorize information systems in order to identify and implement appropriate controls\nand may produce inconsistency in how information is handled, potentially exposing\ninformation to theft, compromise or inappropriate use. Ultimately, the lack of an\ninformation categorization policy increases the risk that FHFA could suffer a breach of\nsensitive data which may result in personal harm, loss of public trust, legal liability, or\nthe high costs of handling a breach.\n\nRecommendation 3: We recommend that FHFA\xe2\x80\x99s CIO coordinate with the executive\nleadership of the Agency to develop, disseminate, and implement an agency-wide\ninformation categorization policy and methodology.\n\n\n\n\n                                                 24\n\x0cCG\xe2\x80\x99s Independent Audit of FHFA\xe2\x80\x99s Information Security Program - 2011\n\n\nFinding 4 - FHFA Needs to Strengthen Tracking and Monitoring of Weaknesses\nand Deficiencies in Plan of Action and Milestones\n\nFHFA\xe2\x80\x99s POA&M for information systems did not provide for adequate tracking and\nmonitoring of weaknesses or deficiencies in security controls noted as a result of\ncontrols assessments during the security and authorization process. The POA&M\nidentifies tasks to be accomplished, the resources required, milestones in meeting the\ntasks, and the scheduled completion dates for the milestones. The POA&M is used by\nthe Agency to monitor progress in correcting weaknesses. 
POA&Ms should be updated\non an ongoing basis as part of the continuous monitoring process.\n\nThe Federal Housing Finance Agency Plan of Action and Milestones (POA&M) Process\nprocedures state that system owners/program offices must define scheduled dates of\ncompletion for all weaknesses. From a total population of 41 POA&Ms for the GSS, 13\nwere not assigned a scheduled date of completion.\n\nPOA&Ms that were not assigned a scheduled date of completion included the lack of a\nformal information security program plan, a formal Enterprise Architecture document, a\nformal Critical Infrastructure Plan, a formal Risk Management Strategy, and a formal\nMission/Business Process Definition. These are all key organization-wide information\nsecurity program management controls as defined by NIST SP 800-53 Rev. 3. These\nformal documents ensure that security considerations are addressed throughout the\nlifecycle of the Agency\xe2\x80\x99s information systems, including protection of the Agency\xe2\x80\x99s\ninformation and critical infrastructure, as well as implementing a risk management\nstrategy consistently across the Agency.\n\nAdditionally, POA&Ms lacking a scheduled date of completion included weaknesses\nrelated to configuration management and remote access controls. If weaknesses in\nthese two areas remain unaddressed, the risk increases for potential exploitation of\ndeficiencies or weaknesses resulting in unauthorized disclosure, use, or modification of\nFHFA information.\n\nIn addition, program offices/system owners did not ensure remedial actions were taken\nin a timely manner to mitigate risk to information systems under their purview for the\nGSS, HSPD-12, and xWorks systems as required by the FHFA\xe2\x80\x99s Program Management\nProcedures. CG reviewed the POA&M reports for these systems and noted a number\nof POA&Ms were past due the scheduled date of completion and no further updates\nwere provided. 
Table 3 below details the results of the analysis performed.\n\nTable 3: Results of POA&M Analysis\nSystem                Total # of POA&Ms                      # of Past Due POA&Ms\nGSS                               41                                    5\nHSPD-12                           24                                    1\nxWorks                            3                                     1\n\n\n\n\n                                                 25\n\x0cCG\xe2\x80\x99s Independent Audit of FHFA\xe2\x80\x99s Information Security Program - 2011 -\n\n\nIt was unclear whether progress was being made to remediate these weaknesses and\nwhen they were expected to be completed. The longer the timeframe that weaknesses\nare not corrected, the greater the risk that the Agency\xe2\x80\x99s information and information\nsystems could be exploited for unauthorized purposes.\n\nNIST SP 800-53 Rev. 3 control CA-5, Security Assessment and Authorization Plan of\nAction and Milestones, states:\n\n   The organization:\n   a.\t Develops a plan of action and milestones for the information system to document\n       the organization\xe2\x80\x99s planned remedial actions to correct weaknesses or\n       deficiencies noted during the assessment of the security controls and to reduce\n       or eliminate known vulnerabilities in the system; and\n   b.\t Updates existing plan of action and milestones [Assignment: organization-\n       defined frequency] based on the findings from security controls assessments,\n       security impact analyses, and continuous monitoring activities.\n\nNIST SP 800-53 Rev. 
3 control PM-4, Program Management Plan of Action and\nMilestones Process, states:\n\n   The organization implements a process for ensuring that plans of action and\n   milestones for the security program and the associated organizational information\n   systems are maintained and document the remedial information security actions to\n   mitigate risk to organizational operations and assets, individuals, other\n   organizations, and the Nation.\n\nFHFA Plan of Action and Milestones Process procedures states:\n\n   The scheduled date of completion should be determined based on a realistic\n   estimate of the amount of time it will take to allocate the required resources,\n   implement the corrective action(s), and complete all associated milestones.\n\n   The scheduled date of completion should include the month, day, and year, and may\n   not be changed after the initial POA&M entry; progress toward completion is tracked\n   through milestones. If the time to correct the weakness extends beyond the original\n   scheduled date of completion, the status of the weakness must be changed to\n   \xe2\x80\x98delayed,\xe2\x80\x99 and reasons for the delay should be noted in the \xe2\x80\x98Weakness Comment\xe2\x80\x99\n   field. A revised scheduled date of completion must be recorded in the \xe2\x80\x98Changes to\n   Milestones\xe2\x80\x99 column and reasons for the change must be noted in the \xe2\x80\x98Comments\xe2\x80\x99\n   field.\n\nAlthough FHFA has documented POA&M procedures, management oversight was\nlacking to ensure the procedures were followed. When weaknesses are identified, the\nrelated risks and corrective actions should be assessed, tracked and monitored, to\nensure effective remediation in a timely manner. 
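The following is an added example, not part of the CG report or of FHFA's procedures: a small Python checker that applies the POA&M rules quoted above (a scheduled date is required; an entry past its original date must be marked 'delayed', carry a reason, and record a revised date), produces the per-system past-due summary in the shape of Table 3, and reconciles open scan findings against POA&M entries using the 30-day remediation window from the FHFA Risk Assessment Procedures quoted under Finding 5. The record layout, field names, and sample entries are constructed for illustration and are not FHFA data.

```python
"""Added example, not from the CG report or FHFA: a checker for the POA&M and
scan-remediation rules the report quotes. Record layout and sample data are constructed."""
from dataclasses import dataclass
from datetime import date
from typing import Optional

# Remediation window from step 6 of the FHFA Risk Assessment Procedures (RA-5).
SCAN_REMEDIATION_DAYS = 30


@dataclass
class Poam:
    poam_id: str
    system: str
    weakness: str
    scheduled_completion: Optional[date]       # must carry month, day and year
    status: str                                # "open", "delayed" or "completed"
    revised_completion: Optional[date] = None  # the 'Changes to Milestones' column
    comments: str = ""                         # 'Weakness Comment' / 'Comments' field
    scan_ids: tuple = ()                       # scan findings this entry tracks (constructed link)


@dataclass
class ScanFinding:
    finding_id: str
    system: str
    detected: date
    remediated: Optional[date] = None


def check_poam(p: Poam, as_of: date) -> list:
    """Violations of the POA&M Process procedures for one entry, as of `as_of`."""
    if p.status == "completed":
        return []
    if p.scheduled_completion is None:
        return ["no scheduled date of completion"]
    issues = []
    if as_of > p.scheduled_completion:
        # Past the original date: status must be 'delayed', a reason recorded,
        # and a revised date entered rather than editing the original date.
        if p.status != "delayed":
            issues.append("past due but status not 'delayed'")
        if not p.comments.strip():
            issues.append("past due with no reason recorded")
        if p.revised_completion is None:
            issues.append("past due with no revised scheduled date")
        elif p.revised_completion <= p.scheduled_completion:
            issues.append("revised date not later than original date")
    return issues


def is_past_due(p: Poam, as_of: date) -> bool:
    """Past due as Table 3 counts it: still open and past its (revised, if any) date."""
    if p.status == "completed" or p.scheduled_completion is None:
        return False
    return as_of > (p.revised_completion or p.scheduled_completion)


def summarize_by_system(poams, as_of: date) -> dict:
    """{system: (total POA&Ms, past-due POA&Ms)}, the layout of the report's Table 3."""
    summary = {}
    for p in poams:
        total, past_due = summary.get(p.system, (0, 0))
        summary[p.system] = (total + 1, past_due + int(is_past_due(p, as_of)))
    return summary


def reconcile_scan_findings(findings, poams, as_of: date) -> dict:
    """Open scan findings that no POA&M tracks, or that are beyond the 30-day window."""
    tracked = {sid for p in poams for sid in p.scan_ids}
    problems = {}
    for f in findings:
        if f.remediated is not None:
            continue
        issues = []
        if f.finding_id not in tracked:
            issues.append("not tracked in any POA&M")
        if (as_of - f.detected).days > SCAN_REMEDIATION_DAYS:
            issues.append(f"open more than {SCAN_REMEDIATION_DAYS} days after detection")
        if issues:
            problems[f.finding_id] = issues
    return problems


AS_OF = date(2011, 9, 29)  # the report date, used here as the evaluation date

# Constructed sample records; they are not FHFA's actual POA&Ms or scan results.
SAMPLE_POAMS = [
    Poam("GSS-01", "GSS", "No formal information security program plan", None, "open"),
    Poam("GSS-02", "GSS", "Remote access control weakness", date(2011, 6, 30), "open"),
    Poam("GSS-03", "GSS", "Configuration baseline gap", date(2011, 5, 15), "delayed",
         revised_completion=date(2011, 11, 30), comments="awaiting vendor patch"),
    Poam("GSS-04", "GSS", "Stale account review", date(2011, 12, 31), "open"),
    Poam("XW-01", "xWorks", "Unpatched web server", date(2011, 7, 1), "completed",
         scan_ids=("S-100",)),
]
SAMPLE_SCANS = [
    ScanFinding("S-100", "xWorks", date(2011, 4, 21), remediated=date(2011, 6, 20)),
    ScanFinding("S-200", "GSS", date(2011, 6, 8)),   # open and never entered in a POA&M
    ScanFinding("S-201", "GSS", date(2011, 9, 20)),  # open, still inside the 30-day window
]


def run_report(poams=SAMPLE_POAMS, findings=SAMPLE_SCANS, as_of=AS_OF) -> dict:
    """Bundle all checks so the result can be reviewed or asserted on."""
    poam_issues = {p.poam_id: check_poam(p, as_of) for p in poams}
    return {
        "poam_issues": {k: v for k, v in poam_issues.items() if v},
        "summary": summarize_by_system(poams, as_of),
        "scan_issues": reconcile_scan_findings(findings, poams, as_of),
    }


if __name__ == "__main__":
    for section, result in run_report().items():
        print(section, result)
```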
In the interim, the systems remain susceptible to risks of unauthorized access, viruses, malicious code, and exploitable vulnerabilities.

Recommendation 4: We recommend that FHFA's CISO develop, disseminate, and implement a process to monitor compliance with FHFA POA&M procedures.

Finding 5 - FHFA Needs to Strengthen Remediation of Vulnerability Assessment Weaknesses

The weaknesses noted in the June 8, 2011, vulnerability assessment report for the GSS and the April 21, 2011, vulnerability assessment report for xWorks were not tracked and monitored for remediation. The vulnerability assessment report noted a high number of vulnerabilities for the GSS. These weaknesses were due to the absence of patching and software updates, which indicates significant configuration management issues. In addition, a high number of vulnerabilities were noted from the scans of the xWorks system. The POA&M reports for both the GSS and xWorks systems did not include tracking and remediation of any of the vulnerabilities noted from these scans.[11]

[11] The Agency recognized underlying problems with its analysis and reporting of high vulnerabilities.

NIST Special Publication (SP) 800-53 Rev. 3 control RA-5, Risk Assessment Vulnerability Scanning, states:

   The organization:
   a. Scans for vulnerabilities in the information system and hosted applications [Assignment: organization-defined frequency and/or randomly in accordance with organization-defined process] and when new vulnerabilities potentially affecting the system/applications are identified and reported;
   b. Employs vulnerability scanning tools and techniques that promote interoperability among tools and automate parts of the vulnerability management process by using standards for:
      ⎯ Enumerating platforms, software flaws, and improper configurations;
      ⎯ Formatting and making transparent, checklists and test procedures; and
      ⎯ Measuring vulnerability impact;
   c. Analyzes vulnerability scan reports and results from security control assessments;
   d. Remediates legitimate vulnerabilities [Assignment: organization-defined response times] in accordance with an organizational assessment of risk; and
   e. Shares information obtained from the vulnerability scanning process and security control assessments with designated personnel throughout the organization to help eliminate similar vulnerabilities in other information systems (i.e., systemic weaknesses or deficiencies).

NIST SP 800-53 Rev. 3 control CA-5, Security Assessment and Authorization Plan of Action and Milestones, states:

   The organization:
   a. Develops a plan of action and milestones for the information system to document the organization's planned remedial actions to correct weaknesses or deficiencies noted during the assessment of the security controls and to reduce or eliminate known vulnerabilities in the system; and
   b. Updates existing plan of action and milestones [Assignment: organization-defined frequency] based on the findings from security controls assessments, security impact analyses, and continuous monitoring activities.

The Federal Housing Finance Agency Risk Assessment Procedures state:

   Vulnerability Scanning – Risk Assessment, (RA-5)

   The Senior Information Security Specialist is responsible for conducting and analyzing vulnerability scans and coordinating the remediation activities with the system engineers in accordance with the following procedure:

       1. Scan for vulnerabilities in the information systems and applications at least quarterly, whenever new vulnerabilities potentially affecting the system/applications are identified and reported, when directed to do so by the CISO, or when requested by the SO [System Owner].
       2. Conduct vulnerability scans using the approved scanning tool or similar scanning tool approved by the CISO.
       3. Ensure that the scanning tool is configured with the most current set of plug-ins prior to conducting any vulnerability scans. This ensures that the most current list of known vulnerabilities is used to evaluate the information systems.
       4. Maintain detailed records and documentation for vulnerability scans that demonstrates the breadth and depth of coverage (i.e., information system components scanned and vulnerabilities checked).
       5. Ensure that the vulnerability scanning process employs techniques that promote interoperability among tools and automates parts of the vulnerability management process by using standards for:
           ⎯ Enumerating platforms, software flaws, and improper configurations;
           ⎯ Formatting and making transparent, checklists and test procedures; and
           ⎯ Measuring vulnerability impact
       6. Work with the system engineers to remediate legitimate vulnerabilities as soon as possible but no longer than 30 days after detection.
       7. Share information obtained from the vulnerability scanning process with designated personnel throughout the organization to help eliminate similar vulnerabilities in other information systems (i.e., systemic weaknesses or deficiencies).
       8. Prepare detailed and summary Vulnerability Assessment Reports to be included as artifacts in the C&A packages.

Although FHFA has documented procedures addressing remediation of weaknesses observed from vulnerability scans, FHFA management did not place a priority on monitoring the remediation process to ensure the weaknesses noted from the scans were tracked in the POA&Ms and remediated.

Addressing vulnerabilities in a timely manner limits the opportunity for attackers to exploit vulnerabilities and gain access to sensitive data or otherwise expose FHFA's systems to unauthorized access, data loss, data manipulation, and system unavailability. The vulnerabilities that were not remediated could lead to total system compromise.

Recommendation 5: We recommend that FHFA's CISO establish controls for tracking, monitoring, and remediating weaknesses noted from the vulnerability scans.

Appendix I – Objective, Scope and Methodology

The objective of this performance audit was to evaluate the effectiveness of FHFA's information security program and practices, including FHFA's compliance with FISMA and related information security policies, procedures, standards, and guidelines. FISMA requires organizations to develop and implement an organization-wide information security program to address information security for the information and information systems that support the operations and assets of the organization, including those provided or managed by another organization, contractor, or other source. The FHFA-OIG's methodology for the FY 11 FISMA audit was a programmatic review of FHFA's governance structure related to the implementation and monitoring of FISMA requirements, and of how FHFA has applied NIST's RMF for managing security throughout the lifecycle of its information systems. The FHFA OIG contracted with CG to evaluate FHFA's compliance with FISMA requirements and report on FHFA's IT controls over its implementation of the NIST RMF. Based on the approach outlined by the FHFA-OIG, CG obtained an overview of the FHFA Office of the Chief Information Officer's oversight role in the following areas:

   ⎯ Organizational Requirements
   ⎯ Information Security Policies and Procedures
   ⎯ Risk Assessments
   ⎯ System Security Plans
   ⎯ Security Assessment and Authorization
   ⎯ Security Awareness, Training, and Education
   ⎯ Security Incident Reporting
   ⎯ Contingency Planning
   ⎯ System Configuration Management
   ⎯ Plans of Action and Milestones

In addition, CG performed an audit of a selection of internal control activities within each of the following six phases of NIST's RMF:

   ⎯ Categorizing information systems
   ⎯ Selecting security controls for information systems
   ⎯ Implementing information system security controls
   ⎯ Assessing information system security controls
   ⎯ Authorizing information systems
   ⎯ Monitoring information system security controls

Accordingly, CG tested program-level controls (including security categorization, information system inventory, risk assessment, security planning, security assessment, plan of action and milestones, security authorization, and continuous monitoring) for a subset of FHFA systems to determine whether FHFA executed the six security program phases in accordance with the following key standards and guidelines:

   ⎯ FIPS Publication (PUB) 199, Standards for Security Categorization of Federal Information and Information Systems (Security Categorization)
   ⎯ FIPS PUB 200, Minimum Security Requirements for Federal Information and Information Systems (Minimum Security Controls)
   ⎯ NIST Special Publication (SP) 800-18 Rev. 1, Guide for Developing Security Plans for Federal Information Systems (Security Planning)
   ⎯ NIST SP 800-30, Risk Management Guide for Information Technology Systems (Risk Assessment)
   ⎯ NIST SP 800-37 Rev. 1, Guide for Applying the Risk Management Framework to Federal Information Systems: A Security Life Cycle Approach (System Risk Management Framework)
   ⎯ NIST SP 800-39, Managing Information Security Risk: Organization, Mission, and Information System View (Enterprise-Wide Risk Management)
   ⎯ NIST SP 800-53 Rev. 3, Recommended Security Controls for Federal Information Systems and Organizations (Recommended Security Controls)
   ⎯ NIST SP 800-53A, Guide for Assessing the Security Controls in Federal Information Systems: Building Effective Security Assessment Plans (Security Control Assessment)
   ⎯ NIST SP 800-60 Vol. 1 Rev. 1, Volume 1: Guide for Mapping Types of Information and Information Systems to Security Categories (Security Category Mapping)

The subset of systems tested included the GSS; xWorks, FHFA's official record of supervision activities for the Division of Enterprise Regulation; and HSPD-12, a contractor system that allows credential bearers to be identified in several standard ways, including by photographic images printed on identification cards as well as by biometric data (fingerprints), Personal Identification Numbers, and other electronic credentials (digital certificates) stored on the card chip.

In order to implement information system security controls as specified by the RMF, policies and procedures for each of the eighteen NIST control families are required. CG performed a detailed review of the design of each policy provided and determined whether the policies and procedures, if properly implemented, would comply with NIST requirements for each security control family as outlined in NIST SP 800-53 Rev. 3.

CG conducted this audit in accordance with GAGAS issued by the Comptroller General of the United States. Those standards require that audits be planned and performed to obtain sufficient, appropriate evidence to provide a reasonable basis for findings and conclusions based on the audit objective. CG believes that the evidence obtained provides a reasonable basis for the findings and conclusions included herein, based on the audit objective.

To assist in the audit, CG reviewed prior year reports to identify potential risk areas. The prior year reports CG reviewed include FHFA's FY 2010 FISMA evaluation[12] and FY 2009 independent audit report on privacy and data protection.[13] CG also reviewed GAO's report on opportunities for improving the Federal Housing Finance Agency's internal controls and accounting procedures,[14] GAO's report on opportunities for improving information system controls,[15] and GAO's financial audit report for FHFA's FY 2009 and FY 2010 financial statements.[16] Additionally, CG reviewed FHFA's policies, procedures, and records, and conducted interviews of FHFA employees and contractor personnel.

A significant deficiency under FISMA is a weakness in an agency's overall information systems security program or management control structure, or within one or more information systems, that significantly restricts the capability of the agency to carry out its mission or compromises the security of its information, information systems, personnel, or other resources, operations, or assets. In this context, the risk is great enough that the agency head and outside agencies must be notified and immediate or near-immediate corrective action must be taken. As required in FISMA (section 3544(c)(3)), agencies are to report any significant deficiency in policy, procedure, or practice as a material weakness in reporting under the Federal Managers' Financial Integrity Act and, if relating to financial management systems, as an instance of a lack of substantial compliance under the Federal Financial Management Improvement Act.

CG does not consider the deficiencies noted in this report to be a significant deficiency under FISMA. However, CG concluded collectively that the deficiencies are significant in the context of the audit objective as defined for performance audits under GAGAS. According to these standards,[17] significance is defined as the relative importance of a matter within the context in which it is being considered, including quantitative and qualitative factors. Such factors include the magnitude of the matter in relation to the subject matter, the relevance of the matter, the needs and interests of an objective third party with knowledge of the relevant information, and the impact of the matter to the audited program or activity. Professional judgment assists auditors when evaluating the significance of matters within the context of the audit objectives.

[12] Federal Housing Finance Agency Fiscal Year 2010 Independent Auditor's Federal Information Security Management Act (FISMA) Report, FHFA Audit Report No. 10-A-03-0TIM, September 30, 2010
[13] FY 2009 Independent Audit Report on Privacy and Data Protection, Audit Report No. 09-A-01-OCAO/OTIM,
[14] Management Report: Opportunities for Improvement in the Federal Housing Finance Agency's Internal Controls and Accounting Procedures, GAO-11-398R, April 29, 2011
[15] Information Security: Opportunities Exist for the Federal Housing Finance Agency to Improve Controls, GAO-10-528, April 2010
[16] Financial Audit: Federal Housing Finance Agency's Fiscal Years 2010 and 2009 Financial Statements, GAO-11-151, November 2010
[17] Paragraph 7.04, Significance in a Performance Audit, GAO-07-731G (07/07), p. 123.

Appendix II – Summary of Controls Tested

Table 4: Results of Audit

Each row gives the area or RMF task tested, the related NIST SP 800-53 Rev. 3 control tested, and the result of the audit.

Information Security Program
   Control tested: PM-1, Information Security Program Plan
   Result: Issue noted. See Recommendation #1

Information Security Policies and Procedures
   Control tested: All NIST SP 800-53 Rev. 3 Controls
   Result: Issue noted. See Recommendation #2

NIST Risk Management Framework (RMF):

RMF Step 1: Categorize Information System

TASK 1-1: Categorize the information system and document the results of the security categorization in the security plan.
   Control tested: RA-2, Security Categorization
   Result: Issue noted. See Recommendation #3

TASK 1-2: Describe the information system (including system boundary) and document the description in the security plan.
   Control tested: PL-2, System Security Plan
   Result: No issues noted.

TASK 1-3: Register the information system with appropriate organizational program/management offices.
   Control tested: PM-5, Information System Inventory
   Result: No issues noted.

RMF Step 2: Select Security Controls

TASK 2-1: Identify the security controls that are provided by the organization as common controls for organizational information systems and document the controls in a security plan (or equivalent document).
   Control tested: PL-2, System Security Plan
   Result: No issues noted.

TASK 2-2: Select the security controls for the information system and document the controls in the security plan.
   Control tested: PL-2, System Security Plan
   Result: No issues noted.

TASK 2-3: Develop a strategy for the continuous monitoring of security control effectiveness and any proposed or actual changes to the information system and its environment of operation.
   Control tested: CA-7, Continuous Monitoring
   Result: No issues noted.

TASK 2-4: Review and approve the security plan.
   Control tested: PL-2, System Security Plan
   Result: No issues noted.

RMF Step 3: Implement Security Controls

TASK 3-1: Implement the security controls specified in the security plan.
   Control tested: PL-2, System Security Plan
   Result: No issues noted.

TASK 3-2: Document the security control implementation, as appropriate, in the security plan, providing a functional description of the control implementation (including planned inputs, expected behavior, and expected outputs).
   Control tested: PL-2, System Security Plan
   Result: No issues noted.

RMF Step 4: Assess Security Controls

TASK 4-1: Develop, review, and approve a plan to assess the security controls.
   Control tested: CA-2, Security Assessments
   Result: No issues noted.

TASK 4-2: Assess the security controls in accordance with the assessment procedures defined in the security assessment plan.
   Control tested: CA-2, Security Assessments
   Result: No issues noted.

TASK 4-3: Prepare the security assessment report documenting the issues, findings, and recommendations from the security control assessment.
   Control tested: CA-2, Security Assessments
   Result: No issues noted.

TASK 4-4: Conduct initial remediation actions on security controls based on the findings and recommendations of the security assessment report and reassess remediated control(s), as appropriate.
   Control tested: CA-2, Security Assessments
   Result: No issues noted.

Related NIST SP 800-53 Rev. 
3         Results of\n                                                                                         Control Tested                   Audit\n RMF Step 5: Authorize Information System\n\n TASK 5-1: Prepare the plan of action and milestones based on the findings                        CA-5               Issue noted. See\n and recommendations of the security assessment report excluding any                                                 Recommendation\n                                                                                     Plan of Action and Milestones\n remediation actions taken.                                                                                          #4.\n\n TASK 5-2: Assemble the security authorization package and submit the                           CA-6                 No issues noted.\n package to the authorizing official for adjudication.                                  Security Authorization\n\n TASK 5-3: Determine the risk to organizational operations (including                                                No issues noted.\n mission, functions, image, or reputation), organizational assets, individuals,                  RA-3\n other organizations, or the Nation.\n                                                                                           Risk Assessment\n TASK 5-4: Determine if the risk to organizational operations, organizational                                        No issues noted.\n assets, individuals, other organizations, or the Nation is acceptable.\n\n RMF Step 6: Monitor Security Controls\n\n TASK 6-1: Determine the security impact of proposed or actual changes to                                            No issues noted.\n the information system and its environment of operation.\n\n TASK 6-2: Assess a selected subset of the technical, management, and                           CA-7                 No issues noted.\n operational security controls employed within and inherited by the             
        Continuous Monitoring\n information system in accordance with the organization-defined monitoring\n strategy.\n\n TASK 6-3: Conduct remediation actions based on the results of ongoing                          RA-5                 Issue noted. See\n monitoring activities, assessment of risk, and outstanding items in the plan                                        Recommendation\n                                                                                        Vulnerability Scanning\n of action and milestones.                                                                                           #5.\n\n\n\n\n                                                                         37\n\x0cCG\xe2\x80\x99s Independent Audit of FHFA\xe2\x80\x99s Information Security Program - 2011 -\n\n\n                                                                               Related NIST SP 800-53 Rev. 3      Results of\n                                                                                      Control Tested                Audit\n TASK 6-4: Update the security plan, security assessment report, and plan                                      No issues noted.\n of action and milestones based on the results of the continuous monitoring\n process.\n\n TASK 6-5: Report the security status of the information system (including                                     No issues noted.\n the effectiveness of security controls employed within and inherited by the\n system) to the authorizing official and other appropriate organizational\n officials on an ongoing basis in accordance with the monitoring strategy.\n                                                                                             CA-7\n TASK 6-6: Review the reported security status of the information system             Continuous Monitoring     No issues noted.\n (including the effectiveness of security controls employed within and\n inherited by the system) on an ongoing basis in accordance 
with the\n monitoring strategy to determine whether the risk to organizational\n operations, organizational assets, individuals, other organizations, or the\n Nation remains acceptable.\n\n TASK 6-7: Implement an information system decommissioning strategy,                                           No issues noted.\n when needed, which executes required actions when a system is removed\n from service.\n\n\n\n\n                                                                         38\n\x0cAPPENDIX B\nFHFA\xe2\x80\x99s Comments to FHFA-OIG\xe2\x80\x99s Draft Report\n\n\n\n\n     Federal Housing Finance Agency Office of Inspector General \xe2\x80\xa2 AUD-2011-002 \xe2\x80\xa2 September 29, 2011\n                                                  vii\n\x0cFederal Housing Finance Agency Office of Inspector General \xe2\x80\xa2 AUD-2011-002 \xe2\x80\xa2 September 29, 2011\n                                             viii\n\x0cFederal Housing Finance Agency Office of Inspector General \xe2\x80\xa2 AUD-2011-002 \xe2\x80\xa2 September 29, 2011\n                                              ix\n\x0cFederal Housing Finance Agency Office of Inspector General \xe2\x80\xa2 AUD-2011-002 \xe2\x80\xa2 September 29, 2011\n                                              x\n\x0cFederal Housing Finance Agency Office of Inspector General \xe2\x80\xa2 AUD-2011-002 \xe2\x80\xa2 September 29, 2011\n                                              xi\n\x0cAPPENDIX C\nFHFA-OIG\xe2\x80\x99s Response to FHFA\xe2\x80\x99s Comments\n\nOn September 19, 2011, FHFA provided a response (Appendix B) to the draft of this report.\nFHFA concurred with all recommendations made and described actions it plans to take or has\ntaken to address the issues identified in the report (Appendix A). Based on FHFA\xe2\x80\x99s response,\nFHFA-OIG considers the proposed actions sufficient to resolve the recommendations. 
However,\nthe recommendations will remain open until such time as FHFA-OIG determines that agreed\nupon corrective actions are completed and responsive. See Appendix D of this report for a\nsummary of management\xe2\x80\x99s comments on the recommendations.\n\nIn response to recommendation five, FHFA expressed concern about the output of the\nvulnerability scanning product in use, noting that the raw scanning data would not necessarily be\nindicative of system security vulnerabilities until it had been further evaluated by security\nanalysts. In this regard, FHFA is taking action to enhance its analysis of vulnerabilities as stated\nin its response. FHFA-OIG agrees that not all of the numerous potential vulnerabilities\nidentified by the scanning product would require remediation and that analysis of the raw data is\nan important part of the remediation process. FHFA agreed that the vulnerability management\nassessment program requires enhancements, which will improve analysis techniques and\nreporting. Accordingly, FHFA stated it will incorporate enhancements to the vulnerability\nprogram intended to improve the ability to analyze, monitor, and track vulnerabilities by\nFebruary 29, 2012.\n\n\n\n\n      Federal Housing Finance Agency Office of Inspector General \xe2\x80\xa2 AUD-2011-002 \xe2\x80\xa2 September 29, 2011\n                                                   xii\n\x0cAPPENDIX D\nSummary of Management\xe2\x80\x99s Comments on the Recommendations\n\nThis table presents the management response to the recommendations in FHFA-OIG\xe2\x80\x99s report and\nthe status of the recommendations as of the date of report issuance.\n\n                                                   Expected\n                Corrective Action: Taken or       Completion       Monetary      Resolved:a Yes     Open or\nRec. No.                   Planned                   Date          Benefits          or No          Closedb\n   1.         
A FHFA IT Security Information       10/31/2011        $0               Yes            Open\n              Security Program Plan has been\n              completed and is currently being\n              reviewed by management.\n    2.        FHFA is currently conducting its     02/02/2012          $0              Yes            Open\n              annual review of IT security\n              policies and procedures, and as\n              necessary will incorporate FHFA-\n              OIG\xe2\x80\x99s findings into the annual\n              review and update of the policies\n              and procedures.\n    3.        FHFA\xe2\x80\x94in coordination with all        09/28/2012          $0              Yes            Open\n              divisions and offices\xe2\x80\x94will\n              develop an agency-wide\n              information classification policy.\n    4.        FHFA will strengthen the             03/30/2012          $0              Yes            Open\n              POA&M monitoring process and\n              will provide additional POA&M\n              training to system owners\n              responsible for assigning\n              resources and scheduling actions\n              to remediate vulnerabilities.\n    5.        FHFA is incorporating                02/29/2012          $0              Yes            Open\n              enhancements to the vulnerability\n              management program, which will\n              improve their ability to analyze,\n              monitor, and track vulnerabilities.\n\na\n Resolved means \xe2\x80\x93 (1) Management concurs with the recommendation, and the planned, ongoing, and completed\ncorrective action is consistent with the recommendation; (2) Management does not concur with the recommendation,\nbut alternative action meets the intent of the recommendation; or (3) Management agrees to the FHFA-OIG\nmonetary benefits, a different amount, or no ($0) amount. 
Monetary benefits are considered resolved as long as\nmanagement provides an amount.\nb\n  Once the FHFA-OIG determines that the agreed-upon corrective actions have been completed and are responsive\nto the recommendations, the recommendations can be closed.\n\n\n\n\n         Federal Housing Finance Agency Office of Inspector General \xe2\x80\xa2 AUD-2011-002 \xe2\x80\xa2 September 29, 2011\n                                                      xiii\n\x0cADDITIONAL INFORMATION AND COPIES\n\n\nFor additional copies of this report:\n\n       \xe2\x80\xa2   Call the Office of Inspector General (OIG) at: 202-408-2544\n\n       \xe2\x80\xa2   Fax your request to: 202-445-2075\n\n       \xe2\x80\xa2   Visit the OIG website at: www.fhfaoig.gov\n\n\n\nTo report alleged fraud, waste, abuse, mismanagement, or any other kind of criminal or\nnoncriminal misconduct relative to FHFA\xe2\x80\x99s programs or operations:\n\n       \xe2\x80\xa2   Call our Hotline at: 1-800-793-7724\n\n       \xe2\x80\xa2   Fax us the complaint directly to: 202-445-2075\n\n       \xe2\x80\xa2   E-mail us at: oighotline@fhfa.gov\n\n       \xe2\x80\xa2   Write to us at: FHFA Office of Inspector General\n                           Attn: Office of Investigation \xe2\x80\x93 Hotline\n                           1625 Eye Street, NW\n                           Washington, DC 20006-4001\n\n\n\n\n      Federal Housing Finance Agency Office of Inspector General \xe2\x80\xa2 AUD-2011-002 \xe2\x80\xa2 September 29, 2011\n                                                   xiv\n\x0c"